Application-Level Virtual Private Archibus

The Virtual Private Archibus (VPA) restriction is an SQL restriction attached to the current user session. VPA is a part of Archibus data security. It enables you to specify which raw (non-aggregated) data the user is allowed to see in forms, grids, charts, and other standard panels.

VPA:

• contains metadata, describing to which tables and/or fields it is applicable.
• applies to primary keys of the main table, and on fields in the main table which validate on the VPA table.
• is defined on a per-role or per-user basis and is initialized and added to each user’s profile on login.
• is established when the user signs in to the database and remains for the duration of the session.
• applies to the Select Values dialog as well as to the view.
• can be set globally on all similar tables or fields with a single statement.
• cannot be cleared by the user.

The Archibus programs: 

• always apply the VPA when displaying raw data in forms, grids, charts, and other standard panels.
• do not apply the VPA when saving data from forms.
• always apply the VPA when outputting raw data to paginated reports, Excel, or PDF.
• always apply the VPA when outputting raw data using Data Transfer Out.
• do not apply the VPA when importing raw data using Data Transfer In.
• do not apply the VPA to the process of calculating aggregated data.

Archibus defines VPA restrictions in these tables:

• Archibus Users table.
  • See Default Site and Building Code VPA Restrictions in the Archibus Users Table
• Archibus Roles table.
  • The role is then assigned to a user.
  • See VPA Restrictions in the Archibus Roles Table.

Additionally, Archibus offers VPA  Groups, which are flexible VPA restrictions describing groups of records based on mapping. VPA groups are handy for partitioning data between multiple customer organizations or multiple service providers in a flexible way. To use VPA groups, you must activate the AbSystemAdministration-UseVpaGroups application preference. When VPA groups are active, the system ignores VPA Building Lists and VPA Site Lists.

Note: VPA applies to the data retrieved by the program, but not to the calculations or actions. For instance, if a staff member runs the recalculate chargeback task, it recalculates for all data.

Note: If you make a VPA restriction and you are using the Archibus mobile apps, be sure to have your mobile users sync their devices or re-download background data. This ensures that the mobile users access the restricted set of data on their mobile devices.

Note:  If more than one VPA restriction is specified, the restrictions will be joined with an "AND".

See Also

• Default Site and Building Code VPA Restrictions in the Archibus Users Table

• VPA Restrictions in the Archibus Roles Table

• How to Enter an SQL-Type VPA Restriction on a Table 
• How to Enter a VPA Restriction for a Validated Table
• How to Enter a VPA Restriction for a Field

• How to Set up a VPA by Building in the Archibus Users Table
• How to Set Up a VPA by Site in the Archibus Users Table

• Customizing Business Logic and VPA Restrictions

• VPA  Groups
• You may also wish to review the hierarchical security topic to see how to restrict access to individual views for different staff members.